William--
What you've received is a probe by a machine infected with Code Red or
similar.
The fact that it's from an IP address in AOL's range is just a coincidence.
Whilst it could be one of AOL's own servers that has been infected and is
trying to spread, it's more likely to be one of its users with an infected
machine.
All you have to do is make sure that if you're running IIS (server or
personal version) that you are properly patched.
Russell
From: "william.wells" <[EMAIL PROTECTED]>
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Date: Tue, 11 Sep 2001 17:38:05 -0500
Subject: (no subject)
My PC is loaded with intrusion detection and other types of software. For
the first time, AOL has tripped one of those alarms. The message indicated
that a connection from AOL's system 172.165.224.93 (ACA5E05D.ipt.aol.com)
attempted to scan my PC on port 80 with the URL of:
GET /default.ida?XXXXXXXXX...XXX%u9090%u685......
I've currently got AOL disabled at my firewall as a result. Normally, the
firewall only lets ports 5190 out and only to AOL's systems. The implication
of this is that, once connected to AOL, they allow both inbound and outbound
connections. The system (172.165.224.93) also isn't one of the permitted IP
addresses for which the firewall will allow connections to. A traceroute,
however, clearly showed that the packet went through AOL's adapter running
on Windows.
Comments?
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
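
Added example, not part of either message: a small log triage script that flags requests shaped like the probe quoted above (an .ida target with a long padding run and %uXXXX escapes) and counts them per source address. It assumes Common Log Format access logs; the function names, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Common Log Format: host ident user [time] "METHOD target proto" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" \d{3} \S+')
PAD_RUN = re.compile(r'(.)\1{63,}')       # 64 or more repeats of one character
PCT_U = re.compile(r'%u[0-9a-fA-F]{4}')   # non-standard %uXXXX escapes

def classify(line):
    """Return (source_ip, reasons) for a Code Red-style probe, else None."""
    m = CLF.match(line)
    if not m:
        return None
    src, _method, target = m.groups()
    parts = urlsplit(target)
    reasons = []
    if parts.path.lower().endswith(".ida"):
        reasons.append("ida-request")
    if PAD_RUN.search(parts.query):
        reasons.append("padding-run")
    if PCT_U.search(parts.query):
        reasons.append("percent-u-escape")
    # Flag only an .ida target that also carries a payload trait, so an
    # ordinary request to an .ida resource is not reported.
    if "ida-request" in reasons and len(reasons) > 1:
        return src, reasons
    return None

def probes_by_source(lines):
    """Count flagged requests per source address."""
    hits = (classify(line) for line in lines)
    return dict(Counter(hit[0] for hit in hits if hit))

# Constructed sample log lines (documentation address ranges, made-up times).
PROBE = "/default.ida?" + "X" * 224 + "%u9090%u9090=a"
SAMPLE = [
    '192.0.2.10 - - [01/Jan/2002:10:00:00 +0000] "GET /index.html HTTP/1.0" 200 1043',
    '198.51.100.7 - - [01/Jan/2002:10:00:05 +0000] "GET ' + PROBE + ' HTTP/1.0" 404 205',
    '198.51.100.7 - - [01/Jan/2002:10:00:09 +0000] "GET ' + PROBE + ' HTTP/1.0" 404 205',
    '203.0.113.4 - - [01/Jan/2002:10:01:00 +0000] "GET /help.ida?topic=1 HTTP/1.0" 404 205',
]

if __name__ == "__main__":
    for source, count in probes_by_source(SAMPLE).items():
        print(f"{source}: {count} probe(s)")
```

The per-source count identifies which hosts are sending the probes; the status code in each flagged line shows how the local web server answered.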